Cryptography: Proofs and Tools
Gerard Tel, Dept of Computer Science, Utrecht



Talk overview

Part 1: Proofs
• Definition and existence
• Proofs with numbers
• Numbers versus “Ad hoc”

Part 2: Tools
• Signature schemes
• Zero knowledge proofs
• Secret Sharing


Cryptography:
The art of protection using information

To have or not to have ….
To know or not to know


Two examples

Encryption (DES)
• Alice sends email y = E_k(x)
• Bob computes x = D_k(y)
• Oscar knows no k: which D function?

Identification with one-way function H
• A gives Bank b = H(a)
• Bank pays on seeing a’ s.t. H(a’) = b
• O knows no a’


Two more examples

Signatures
• Alice signs M with x: S = Sig(M, x)
• Bob verifies with y: Ver(M, S, y)
• Oscar cannot forge S’ for M’ s.t. Ver(M’, S’, y)

Public key pairs
• Alice holds secret x
• Bob holds public y
• Relation P(x, y)
• Oscar cannot compute x from y


I recognize it when I see it ....

Encryption: k s.t. D_k(y) is text
Identification: a’ s.t. H(a’) = b
Signatures: S’ s.t. Ver(M’, S’, y)
Key pair: x s.t. P(x, y)


…. But I don’t know it


Assumption: Factoring

Primes p and q (e.g. 512 bits)
n = p . q (1024 bits)
Given n, one recognizes p and q

Assumption: Given n, computing p is impossible


Assumption: Discrete Log

Compute modulo large p: 0, 1, …, p - 1
Element g has order: 1 = g^0, g^1, g^2, g^3, …, g^ord = 1
Fix g of high order.
From x, power y = g^x is computable

Assumption: From y, x s.t. y = g^x is not computable


Rabin’s encryption

Alice’s secret key: p and q
Public key: product n
Bob encrypts x as y = x^2 mod n
Alice decrypts by extracting the square root: p and q are needed!

Oscar cannot extract roots


Square roots modulo n

A square number has 4 roots
n = 77 = 7 . 11:
• 36^2 = 64 (1296 mod 77)
• 36, 41, 8, 69 have square 64
Two pairs: 36 = -41 and 8 = -69
Combine from two pairs: 41 + 69 = 33 (mod 77)
gcd(33, 77) = 11


Rabin: Provably Secure

If Oscar can find x from x^2 = y mod n
• Select random z
• Solve x from x^2 = z^2
• Prob. 1/2: x and z differ: find p and q

Contradicts Factoring Assumption

Rabin is cryptographically strong


Chosen Ciphertext Attack

Procedure for CCA:
• Oscar sends Alice y, obtains x, computes

Rabin is vulnerable:
• Oscar sends y = z^2
• succeeds with Pr = 1/2

Decrypted messages as sensitive as key

Weakness inherent in strength
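
The n = 77 numbers from the square-root slide, worked through as an added example (not part of the original slides): the four roots of 64 are computed from p and q, and the reduction "a root finder gives the factors with probability 1/2" is run against a stand-in decryption oracle. Function names and the oracle are assumptions made for illustration.

```python
from math import gcd

P, Q = 7, 11          # Alice's secret primes (both are 3 mod 4)
N = P * Q             # public key n = 77

def sqrt_mod_prime(y, p):
    """Square root of y modulo a prime p with p % 4 == 3."""
    r = pow(y, (p + 1) // 4, p)
    if (r * r - y) % p:
        raise ValueError("y is not a square modulo p")
    return r

def four_roots(y, p=P, q=Q):
    """All square roots of y mod p*q, combined with the CRT (needs p and q)."""
    n = p * q
    rp, rq = sqrt_mod_prime(y % p, p), sqrt_mod_prime(y % q, q)
    roots = set()
    for a in (rp, p - rp):
        for b in (rq, q - rq):
            # CRT: the unique x mod n with x = a (mod p) and x = b (mod q)
            x = (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % n
            roots.add(x)
    return sorted(roots)

def factor_from_roots(x, z, n=N):
    """Two roots of the same square with x != +-z reveal a factor of n."""
    if (x - z) % n == 0 or (x + z) % n == 0:
        return None                      # same pair: nothing learned
    return gcd(x + z, n)

def decryption_oracle(y):
    """Stands in for Alice answering a chosen ciphertext: returns some root."""
    return four_roots(y)[0]

def factor_with_oracle(z, n=N):
    """The reduction on the slides: square z, ask for a root, compare."""
    return factor_from_roots(decryption_oracle(z * z % n), z, n)
```

This is why a Rabin decryption service must never return raw roots of attacker-chosen values: each answer is as sensitive as the key.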


RSA: Allegedly secure

Similar but use higher order roots.
Public key: (n, e)
Encryption y = x^e
Decryption x = y^d (d from p, q)

e-th rooting is believed but not proven to be as hard as factoring


RSA Decryption

φ = (p - 1)(q - 1)
All x: x^φ = 1 (mod n)
From p, q, n, e, compute d s.t. e . d = k . φ + 1

y^d = (x^e)^d = x^(k . φ + 1) = 1^k . x = x

Secretly keep d, purge p, q.


RSA Keys are secure

Oscar finds φ from n:
• p + q = n - φ + 1, solve p, q

Oscar finds φ from n and e:
• Simulate generation of e to do without

Oscar finds d from n and e:
• n, e, d → p, q

Key protection is cryptographically strong


Ad hoc versus Numbers: Hash functions

Map H: {0,1}* → {0,1}^k

One-way: From y = H(x), x cannot be found

Collision-free: No x_1, x_2 can be found s.t. H(x_1) = H(x_2)

Such x_1, x_2 exist


Fair Guessing Games

Linda dates Jon if Jon guesses parity of x
• L chooses x and gives y = H(x)
• J guesses even/odd
• L reveals x

Cheating
• y doesn’t reveal x to Jon: one-way
• y binds Linda: collision-free


Bit manipulation: MD5

How does it work
• XOR, AND, OR words
• Combine with sin bits
• Four rounds in

Why does it work
• Why four rounds: MD4 background
• Why this combination: Attacks on variants
• Why is it secure? We don’t know


Discrete Log Hash (Chaum)

How does it work
• Select g, random h.
• f(x, x’) = g^x . h^x’

Why does it work
• log(h): a s.t. g^a = h will never be known
• f(x, x’) = f(y, y’)
  g^x . h^x’ = g^y . h^y’
  a = (x - y)(y’ - x’)^-1

Cryptographically strong collision free


Trapdoor Hash

Cheat in generation of f.
Select h = g^a instead of random h.

Collision: g^x . h^x’ = g^(x - a.z) . h^(x’ + z)

Trapped f remains cryptographically strong one-way.
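
Both directions of the argument on the two hash slides, as an added example (not part of the original slides): whoever knows a = log(h) can produce collisions at will, and anyone handed a collision can compute a. The toy group (p = 2039, q = 1019, g = 4 of prime order q) and the function names are assumptions; real parameters are far larger.

```python
P, Q, G = 2039, 1019, 4     # toy group (assumed): G has prime order Q modulo P

def chaum_hash(x, x2, h):
    """f(x, x') = g^x . h^x' modulo P, exponents taken modulo Q."""
    return pow(G, x % Q, P) * pow(h, x2 % Q, P) % P

def trapdoor_collision(x, x2, a, z):
    """Knowing a with h = g^a: (x - a.z, x' + z) hashes the same as (x, x')."""
    return (x - a * z) % Q, (x2 + z) % Q

def log_from_collision(x, x2, y, y2):
    """Any collision f(x, x') = f(y, y') with x' != y' yields a = log_g(h)."""
    if (y2 - x2) % Q == 0:
        raise ValueError("need a collision with different second inputs")
    return (x - y) * pow((y2 - x2) % Q, -1, Q) % Q

def demo(a=777, x=123, x2=456, z=5):
    """Generate a trapped h, build a collision, and recover a from it."""
    h = pow(G, a, P)                       # cheating setup: h = g^a
    y, y2 = trapdoor_collision(x, x2, a, z)
    same = chaum_hash(x, x2, h) == chaum_hash(y, y2, h)
    return same, (y, y2) != (x, x2), log_from_collision(x, x2, y, y2)
```

A verifier who cannot audit how h was generated has no way to tell a trapped f from an honest one, so h should come from a procedure nobody controls.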


Questions?


Gerard Tel, Part 2:

Cryptographic Tools:
• Signatures
• Zero knowledge
• Secret Sharing


Digital Signatures

Alice signs message M: S = Sig(M, x)
Bob verifies signature S: Ver(M, S, y)
Validity: Ver(M, Sig(M, x), y)

Forgery: Oscar finds M, S: Ver(M, S, y)


RSA Signatures

Public/Secret key: (n, e) and (n, d)
Functions x → x^e and y → y^d are inverses

Sign M: S = M^d (compute)
Verify S: S^e = M (check)

Forge signature under M: Invert RSA public function


Existential Forgery

Oscar: random S, M = S^e.

M takes special form
• ………01010101010101
• Hash of longer message


Blind Signatures

Alice signs one message without seeing it
• Bob has M, selects blinder b
• Bob gives Alice blinded message M’ = M . b
• Alice signs for Bob: S’ = M’^d
• Bob unblinds: divide by b^d.


Blind Signatures

Alice signs one message without seeing it
• Bob has M, selects blinder b = k^e
• Bob gives Alice blinded message M’ = M . b
• Alice signs for Bob: S’ = M’^d
• Bob unblinds: divide by b^d
  S = S’ / k

Similar: Blind decryption


Zero knowledge proofs

Identification by secret
• A gives Bank b = H(a)
• Bank pays on seeing a

If Alice shows a: employee, eavesdropper become as powerful.

Alice proves to know a without showing


0KP of a Square Root

Alice holds a, Bob holds b = a^2

Withdrawing of money:
• Alice selects s = r^2 and gives Bob s
• Claim: I know roots of s and s.b

This is true, namely r and r.a

This implies knowing a as quotient of roots


Verify knowing two roots

Bob sees one! Otherwise becomes too smart

Challenge c = 0/1
Alice must give one root:
• r of s (c = 0)
• r.a of s.b (c = 1)

Oscar does not know both
Fails with Pr = 1/2.


What does Bob learn?

Triple (s, c, y)
• s is random square
• c is random bit
• y solves y^2 = s . b^c

To generate such, choose
• c as random bit
• y as random number
• s as y^2 / b^c


How can it convince?

Compute order s, c, y: needs a
Compute order c, y, s: don’t need a

Protocol enforces s, c, y
Transcript doesn’t show order.
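
The square-root proof from the last four slides as an added example (not part of the original slides): an honest round in the order s, c, y, a simulated transcript built in the order c, y, s without a, and a cheater who has to fix s before seeing c. The modulus 77, the secret a = 36 and the function names are constructed for illustration.

```python
import random
from math import gcd

N = 77                       # toy modulus 7 . 11; real use needs a large n
A = 36                       # Alice's secret root a (constructed value)
B = A * A % N                # Bob holds b = a^2 = 64

def check(s, c, y, b=B, n=N):
    """Bob's test on a triple: y^2 = s . b^c (mod n)."""
    return y * y % n == s * pow(b, c, n) % n

def unit(rng, n=N):
    """Random number invertible modulo n."""
    while True:
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:
            return r

def honest_round(rng, a=A):
    """Order s, c, y: commit to s = r^2, receive c, answer r . a^c. Needs a."""
    r = unit(rng)
    s = r * r % N
    c = rng.randrange(2)                 # Bob's challenge
    y = r * pow(a, c, N) % N
    return s, c, y

def simulated_round(rng):
    """Order c, y, s: pick c and y first, then s = y^2 / b^c. Needs no a."""
    c = rng.randrange(2)
    y = unit(rng)
    s = y * y * pow(pow(B, c, N), -1, N) % N
    return s, c, y

def cheating_round(rng):
    """Oscar (no a) must send s before c arrives, so he prepares for a guess."""
    s, _guess, y = simulated_round(rng)
    c = rng.randrange(2)                 # Bob's real challenge, chosen after s
    return check(s, c, y)
```

Honest and simulated triples both pass Bob's check, so a recorded transcript proves nothing to a third party; only the enforced message order convinces Bob.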


Zero knowledge proofs

20 rounds: 1-in-million false acceptance

Similar: e-th root or logarithm
Also: Graph coloring

Use with blind signatures: Bob proves blinded message is legal


Secret Sharing

Goal: share holders together know a
Shares handed out by dealer

Share: related to a
• k - 1 shares reveal nothing
• k shares reveal all in reconstruction


Concepts in Sharing

Use:
• Bank, company
• Nuclear heads
• Digital money
• Key escrow

How many shares
• Veto (split)
• Threshold (share)

Protection
• Perfect (poor!)
• Verifiable

Actions with secret
• Reconstruction
• Use


Additive secret split

Dealing:
• a_1 … a_{k-1} random
• a_k = a - a_1 - … - a_{k-1}
• a_k is no better

Reconstruction: a = a_1 + … + a_k

Symmetric!

• Shares cannot be recognized
• Given k - 1 shares, every a is still possible
• “Real Cryptography”: Perfect Split


Using shared exponent

Secret is exponent a (e.g., for RSA)
Shares: a = a_1 + … + a_k

To compute y^a:
• Shareholder i submits x_i = y^{a_i}
• Compute x = x_1 . … . x_k

Use of secret does not compromise splitting


How perfect is perfect?

Shares cannot be recognized
Shareholders may cheat

Verifiable reconstruction (hash H):
• Compute a_i and b_i = H(a_i)
• Give a_i to SH i and make b_i public

Verified reconstruction:
• SH i submits a_i
• Check H(a_i) = b_i


Dealer verifiable split

Number hash H(a) = g^a

The dealer
• Publish b = g^a
• Private share a_i (sum a)
• Public share b_i = g^{a_i}
• Send a_i to SH i

Verifiable shares

The shareholders
b binds dealer! secret is recognizable
• Verify product = b
• Verify g^{a_i} = b_i
• Reconstruction: Verify submissions


Perfect Secret Shares

Theorem: through k points runs exactly one curve of degree k - 1

Dealing: select a_1 through a_{k-1}, a_0 = a
f(z) = a_0 + a_1.z + … + a_{k-1}.z^{k-1}

Share s_i is f(i)

Reconstruction from k points: polynomial interpolation


Verifiable Secret Sharing

Dealer:
• Private coefficients a_0 through a_{k-1}
• Private shares s_i = f(i)
• Public coefficients b_i = g^{a_i}
• Public shares p_i = g^{s_i}

Shareholders
s_i = a_0 + a_1.i + … + a_{k-1}.i^{k-1}
• Global: p_i = b_0 . b_1^i . b_2^{i^2} . … . b_{k-1}^{i^{k-1}}
• Internal: g^{s_i} = p_i


Conclusions

Numbers as basis for cryptography
Most of cryptography is unproven
Results are often counterintuitive

“Every advantage has its disadvantage”